Amazon offers a pay-per-use key management service, AWS KMS. This service can
be used to encrypt data on S3 using keys which can be centrally managed and assigned to
specific roles and IAM accounts.

S3 can use AWS KMS to encrypt uploaded data. When data is uploaded with
SSE-KMS, the named KMS key is retrieved from the KMS service and used to encrypt
(wrap) the per-object secret key, which in turn encrypts the uploaded data. To
read the data, the same KMS key must again be retrieved from KMS and used to
decrypt the per-object secret key, which is then used to decrypt the file itself.

KMS keys can be managed by an organization's administrators in AWS, including having
access permissions assigned to, and removed from, specific users, groups, and IAM roles.
Only those "principals" granted rights to a key may use it, hence only they may encrypt
data with the key or decrypt data encrypted with it. Because decryption of any object
depends on being allowed to use its KMS key, KMS can serve as a cryptographically
enforced access control mechanism for data stored on S3.
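The envelope scheme described above (a per-object data key wrapped by the named KMS key, with access to that key gating decryption), as an added Python model that is not Hadoop or AWS code. The ToyKms class, the HMAC-based counter-mode cipher standing in for AES, and the key alias and role names are all constructed for illustration.

```python
import hmac, hashlib, secrets

def ctr_stream(key, nonce, data):
    """Toy cipher standing in for AES: HMAC-SHA256 keystream in counter mode, XORed in."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class ToyKms:
    """Constructed stand-in for AWS KMS: keys plus the principals granted use of each."""
    def __init__(self):
        self._keys, self._grants = {}, {}
    def create_key(self, key_id, principals):
        self._keys[key_id] = secrets.token_bytes(32)
        self._grants[key_id] = set(principals)
    def _check(self, key_id, principal):
        if principal not in self._grants.get(key_id, ()):
            raise PermissionError(f"{principal} may not use {key_id}")
    def generate_data_key(self, key_id, principal):
        """Return (plaintext data key, same key wrapped under the named KMS key)."""
        self._check(key_id, principal)
        dk, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
        return dk, key_id.encode() + b"|" + nonce + ctr_stream(self._keys[key_id], nonce, dk)
    def decrypt_data_key(self, wrapped, principal):
        key_id, rest = wrapped.split(b"|", 1)
        self._check(key_id.decode(), principal)
        return ctr_stream(self._keys[key_id.decode()], rest[:12], rest[12:])

def sse_kms_put(kms, key_id, principal, plaintext):
    """Per-object data key, used once, stored only in wrapped form beside the ciphertext."""
    dk, wrapped = kms.generate_data_key(key_id, principal)
    nonce = secrets.token_bytes(12)
    return {"wrapped_key": wrapped, "nonce": nonce, "body": ctr_stream(dk, nonce, plaintext)}

def sse_kms_get(kms, stored, principal):
    """Holding the object bytes is not enough: the data key must first be unwrapped via KMS."""
    dk = kms.decrypt_data_key(stored["wrapped_key"], principal)
    return ctr_stream(dk, stored["nonce"], stored["body"])

def demo():
    kms = ToyKms()
    kms.create_key("alias/s3-data", {"analyst-role"})   # hypothetical key alias and principal
    obj = sse_kms_put(kms, "alias/s3-data", "analyst-role", b"quarterly figures")
    try:
        sse_kms_get(kms, obj, "intern-role")   # can read the stored object, lacks a key grant
        denied = False
    except PermissionError:
        denied = True
    return sse_kms_get(kms, obj, "analyst-role"), denied
```

Revoking a principal's grant on the KMS key denies it every object wrapped under that key, without re-encrypting anything in the bucket.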

Note

The AWS KMS service is not related to the Key
Management Service built into Hadoop (Hadoop KMS).
The Hadoop KMS primarily focuses on managing keys
for HDFS Transparent Encryption. Similarly, HDFS
encryption is unrelated to S3 data encryption.